- From: Mountie Lee <mountie@paygate.net>
- Date: Wed, 26 Nov 2014 11:14:40 +0900
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: Martin Paljak <Martin.Paljak@ria.ee>, "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <CAE-+aYLWYbmxu6Piwc1BYPWYTMwygjPKjQVbpt2O0ugV1Dk8yg@mail.gmail.com>
In my industries, they have big interest in Microsoft's proposal.

It is actually touching important concepts:

1. Key Ownership
- the design principle of the current WebCrypto API is "key provisioner (aka the server) has the key ownership"
- if the key is owned by the server side, the key will be bound to the same-origin policy
- if the key is owned by the user, the key can be used on multiple origins
- the different principle of key ownership is also touching secure elements at the client side.
I believe the Web should be User Centric

2. Certificate Management
- the suggested API seems workable for CMP (Certificate Management Protocol)

3. Secure Computing Environment
- when the PC was compromised, SCE will protect sensitive client side resources.

best regards
mountie

On Mon, Nov 17, 2014 at 4:14 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2014-11-17 07:25, Martin Paljak wrote:
>
>> Hello,
>>
>> Huge thanks to the creators of this presentation! I feel that parts of it
>> target exactly the same sector (signatures with existing tokens) and
>> direction and mindset and resulting functionality that we are using within
>> Estonia and this makes a perfect collaboration target for us. This is
>> similar to what we currently target with "proprietary" (but open source)
>> plugins, just need to work on harmonizing the API to get comparable real
>> life functionality.
>>
>
> Hi Martin,
>
> Although the details are quite sketchy I have tried to "decipher" the
> documentation. These are my findings:
>
> It *seems* that relying party code has direct API access (which is *not* the
> case with plugins).
>
> That is, it appears that *users* would need to decide (per site) if a
> site's *client code* is to be trusted or not.
> IMO, issuers like banks would probably not accept such an arrangement.
>
> OTOH, I may have gotten it all wrong due to the limited documentation :-)
>
> Cheers,
> Anders
>
>> Things like UI are still unclear from the slides but something that can
>> be worked upon.
>>
>> Best,
>> Martin
>> ________________________________________
>> From: GALINDO Virginie [Virginie.Galindo@gemalto.com]
>> Sent: Wednesday, November 12, 2014 11:33
>> To: public-web-security@w3.org; public-webcrypto@w3.org;
>> Jeff.Hodges@PayPal.com; Anders Rundgren
>> Subject: [WebCrypto.Next] Microsoft's Contribution
>>
>> Dear all,
>> Please note that the contribution made by Israel and Vijay, related to
>> certificate management is now available on the web crypto WG wiki,
>> classified in the F2F meeting page, here
>> https://www.w3.org/2012/webcrypto/wiki/images/d/dd/CertAndKey_Management_Requirements_for_WebCrypto_microsoft.pdf
>> This will be discussed when the group will be re-chartering.
>> Regards,
>> Virginie
>> ________________________________
>> This message and any attachments are intended solely for the addressees
>> and may contain confidential information. Any unauthorized use or
>> disclosure, either whole or partial, is prohibited.
>> E-mails are susceptible to alteration. Our company shall not be liable
>> for the message if altered, changed or falsified. If you are not the
>> intended recipient of this message, please delete it and notify the sender.
>> Although all reasonable efforts have been made to keep this transmission
>> free from viruses, the sender will not be liable for damages caused by a
>> transmitted virus.

--
Mountie Lee
PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net
Received on Wednesday, 26 November 2014 02:15:28 UTC